cbac 0.6.1 → 0.6.2

data/lib/generators/cbac/copy_files/migrate/create_cbac_upgrade_path.rb

@@ -1,31 +1,40 @@
-class CreateCbacUpgradePath < ActiveRecord::Migration
-  def self.up
-
-    create_table :cbac_staged_permissions do |t|
-      t.integer :pristine_role_id
-      t.string :privilege_set_name
-      t.integer :line_number
-      t.string :comment
-      t.text :operation, :limit => 2
-      t.timestamps
-    end
-
-    create_table :cbac_staged_roles do |t|
-      t.string :role_type
-      t.string :name
-      t.integer :role_id
-      t.timestamps
-    end
-    
-    create_table :cbac_known_permissions do |t|
-      t.integer :permission_number, :null => :no
-      t.integer :permission_type, :default => 0
-    end
-  end
-
-  def self.down
-    drop_table :cbac_staged_permissions
-    drop_table :cbac_staged_roles
-    drop_table :cbac_known_permissions
-  end
-end
+class CreateCbacUpgradePath < ActiveRecord::Migration
+  def self.up
+
+    create_table :cbac_pristine_files do |t|
+      t.string :type
+      t.string :file_name
+      t.timestamps
+    end
+
+    create_table :cbac_staged_permissions do |t|
+      t.integer :pristine_role_id
+      t.integer :pristine_file_id
+      t.string :privilege_set_name
+      t.integer :line_number
+      t.string :comment
+      t.text :operation, :limit => 2
+      t.timestamps
+    end
+
+    create_table :cbac_staged_roles do |t|
+      t.string :role_type
+      t.string :name
+      t.integer :role_id
+      t.timestamps
+    end
+    
+    create_table :cbac_known_permissions do |t|
+      t.integer :permission_number, :null => :no
+      t.integer :permission_type, :default => 0
+    end
+
+  end
+
+  def self.down
+    drop_table :cbac_pristine_files
+    drop_table :cbac_staged_permissions
+    drop_table :cbac_staged_roles
+    drop_table :cbac_known_permissions
+  end
+end

data/lib/generators/cbac/copy_files/stylesheets/cbac.css

@@ -1,65 +1,65 @@
-/****
-* General 
-*/
-
-div.cbac h1 {
-
-}
-
-div.cbac table {
-    padding: 0px;
-    margin: 0px;
-    border-collapse: collapse;
-}
-
-div.cbac div.linebreak {
-    height: 20px;
-}
-
-/****
-* Table
-*/
-
-div.cbac th {
-    background-color: #ABEB71;
-}
-
-div.cbac td, div.cbac th {
-    border: 1px solid black;
-}
-
-div.cbac td.small, div.cbac th.small {
-    width: 50px;
-}
-
-div.cbac td.medium, div.cbac th.medium {
-    width: 150px;
-}
-
-div.cbac td.large, div.cbac th.large {
-    width: 600px;
-}
-
-div.cbac td.checked {
-    text-align: center;
-}
-
-div.cbac td.submit {
-    text-align: right;
-}
-
-/****
-* Controls
-*/
-
-div.cbac input[type="text"] {
-    margin: 2px;
-}
-
-div.cbac td.medium input[type="text"] {
-    width: 138px;
-}
-
-div.cbac td.large input[type="text"] {
-    width: 588px;
-}
+/****
+* General 
+*/
+
+div.cbac h1 {
+
+}
+
+div.cbac table {
+    padding: 0px;
+    margin: 0px;
+    border-collapse: collapse;
+}
+
+div.cbac div.linebreak {
+    height: 20px;
+}
+
+/****
+* Table
+*/
+
+div.cbac th {
+    background-color: #ABEB71;
+}
+
+div.cbac td, div.cbac th {
+    border: 1px solid black;
+}
+
+div.cbac td.small, div.cbac th.small {
+    width: 50px;
+}
+
+div.cbac td.medium, div.cbac th.medium {
+    width: 150px;
+}
+
+div.cbac td.large, div.cbac th.large {
+    width: 600px;
+}
+
+div.cbac td.checked {
+    text-align: center;
+}
+
+div.cbac td.submit {
+    text-align: right;
+}
+
+/****
+* Controls
+*/
+
+div.cbac input[type="text"] {
+    margin: 2px;
+}
+
+div.cbac td.medium input[type="text"] {
+    width: 138px;
+}
+
+div.cbac td.large input[type="text"] {
+    width: 588px;
+}

data/lib/generators/cbac/copy_files/tasks/cbac.rake

@@ -1,345 +1,345 @@
-#TODO: zip (or something) the directory resulting from a snapshot and delete it
-#TODO: unzip (or something) the provided snapshot and load from it, then delete temp dir
-#TODO: add staging area to extracted snapshot, inserted snapshot, clearing code, etc.
-
-#TODO: add comments to pristine lines, in a Comment() style
-
-# WARNING: Non-changes are not saved as known_permissions when using pristine or such. THIS IS NOT A BUG! Think of the following scenario:
-# 1) Developers grant permission X
-# 2) User deploys. Permission X is granted in the database.
-# 3) User revokes permission X
-# 4) Developers revoke permission X
-# 5) User upgrades. No change in permission X detected, (since devteam and user agree) so the user is not prompted to accept the change.
-# 6) User grants permission X again
-# 7) User upgrades again. At this point, we want the user to be warned that the devteam thinks granting this permission is not a good idea. 
-#    This is only possible if the non-change in #5 is not registered as KnownChange
-
-# Get a privilege set that fulfills the provided conditions
-  def get_privilege_set(conditions)
-    Cbac::PrivilegeSetRecord.first(:conditions => conditions)
-  end
-
-# Get a Hash containing all entries from the provided table
-  def select_all(table)
-    ActiveRecord::Base.connection.select_all("SELECT * FROM %s;" % table)
-  end
-
-# Generate a usable filename for dumping records of the specified type
-  def get_filename(type)
-    "#{ENV['SNAPSHOT_NAME']}/cbac_#{type}.yml"
-  end
-
-  def load_objects_from_yaml(type)
-    filename = get_filename(type)
-
-    Yaml.load_file(filename)
-  end
-
-# Dump the specified permissions to a YAML file
-  def dump_permissions_to_yaml_file(permissions)
-    permissions.each do |cp|
-      privilege_set_name = get_privilege_set(:id => cp['privilege_set_id']).name
-      cp['privilege_set_id'] = "<%= Cbac::PrivilegeSetRecord.find(:first, :conditions => {:name => '#{privilege_set_name}'}).id %>"
-    end
-    dump_objects_to_yaml_file(permissions, "permissions")
-  end
-
-# Dump a set of objects to a YAML file. Filename is determined by type-string
-  def dump_objects_to_yaml_file(objects, type)
-    filename = get_filename(type)
-
-    puts "Writing #{type} to disk"
-
-    File.open(filename, "w") do |output_file|
-      index = "0000"
-      output_file.write objects.inject({}) { |hash, record|
-        hash["#{type.singularize}_#{index.succ!}"] = record
-        hash
-      }.to_yaml
-    end
-  end
-
-  def get_cbac_pristine_adapter
-    adapter_class = Class.new
-    adapter_class.send :include, Cbac::CbacPristine
-    adapter_class.new
-  end
-
-  namespace :cbac do
-    desc 'Initialize CBAC tables with bootstrap data. Allows ADMINUSER to log in and visit CBAC administration pages. Also, if a Privilege Set called "login" exists, this privilege is granted to "everyone"'
-    task :bootstrap => :environment do
-      adapter = get_cbac_pristine_adapter
-      if adapter.database_contains_cbac_data?
-        if ENV['FORCE'] == "true"
-          puts "FORCE specified: emptying CBAC tables"
-          adapter.clear_cbac_tables
-        else
-          puts "CBAC bootstrap failed: CBAC tables are nonempty. Specify FORCE=true to override this check and empty the tables"
-          exit
-        end
-      end
-
-      adminuser = ENV['ADMINUSER'] || 1
-      login_privilege_set = get_privilege_set(:name => "login")
-      everybody_context_role = ContextRole.roles[:everybody]
-      if !login_privilege_set.nil? and !everybody_context_role.nil?
-        puts "Login privilege exists. Allowing context role 'everybody' to use login privilege"
-        login_permission = Cbac::Permission.new(:context_role => 'everybody', :privilege_set_id => login_privilege_set.id)
-        throw "Failed to save Login Permission" unless login_permission.save
-      end
-
-      puts "Creating Generic Role: administrators"
-      admin_role = Cbac::GenericRole.new(:name => "administrator", :remarks => "System administrators - may edit CBAC permissions")
-      throw "Failed to save new Generic Role" unless admin_role.save
-
-      puts "Creating Administrator Membership for user #{adminuser}"
-      membership = Cbac::Membership.new(:user_id => adminuser, :generic_role_id => admin_role.id)
-      throw "Failed to save new Administrator Membership" unless membership.save
-
-      begin
-        admin_privilege_set_id = get_privilege_set({:name => 'cbac_administration'}).id
-      rescue
-        throw "No PrivilegeSet cbac_administration defined. Aborting."
-      end
-      cbac_admin_permission = Cbac::Permission.new(:generic_role_id => admin_role.id, :privilege_set_id => admin_privilege_set_id)
-      throw "Failed to save Cbac_Administration Permission" unless cbac_admin_permission.save
-
-      puts <<EOF
-**********************************************************
-* Succesfully bootstrapped CBAC. The specified user (# #{adminuser} ) *
-* may now visit the cbac administration pages, which are *
-* located at the URL /cbac/permissions/index by default  *
-**********************************************************
-EOF
-    end
-
-    desc 'Extract a snapshot of the current authorization settings, which can later be restored using the restore_snapshot task. Parameter SNAPSHOT_NAME determines where the snapshot is stored'
-    task :extract_snapshot => :environment do
-      if ENV['SNAPSHOT_NAME'].nil?
-        puts "Missing argument SNAPSHOT_NAME. Substituting timestamp for SNAPSHOT_NAME"
-        require 'date'
-        ENV['SNAPSHOT_NAME'] = DateTime.now.strftime("%Y%m%d%H%M%S")
-      end
-
-      if File::exists?(ENV['SNAPSHOT_NAME']) # Directory already exists!
-        if ENV['FORCE'] == "true"
-          puts "FORCE specified - overwriting older snapshot with same name."
-        else
-          puts "A snapshot with the given name (#{ENV['SNAPSHOT_NAME']}) already exists, and overwriting is dangerous. Specify FORCE=true to override this check"
-          exit
-        end
-      else # Directory does not exist yet
-        FileUtils.mkdir(ENV['SNAPSHOT_NAME'])
-      end
-
-      puts "Extracting CBAC permissions to #{ENV['SNAPSHOT_NAME']}"
-
-      # Don't need privilege sets since they are loaded from a config file.
-      staged_changes = select_all "cbac_staged_permissions"
-      dump_objects_to_yaml_file(staged_changes, "staged_permissions")
-
-      staged_roles = select_all "cbac_staged_roles"
-      dump_objects_to_yaml_file(staged_roles, "staged_roles")
-
-      permissions = select_all "cbac_permissions"
-      dump_permissions_to_yaml_file(permissions)
-
-      generic_roles = select_all "cbac_generic_roles"
-      dump_objects_to_yaml_file(generic_roles, "generic_roles")
-
-      memberships = select_all "cbac_memberships"
-      dump_objects_to_yaml_file(memberships, "memberships")
-
-      known_permissions = select_all "cbac_known_permissions"
-      dump_objects_to_yaml_file(known_permissions, "known_permissions")
-    end
-
-    desc 'Restore a snapshot of authorization settings that was extracted earlier. Specify a snapshot using SNAPSHOT_NAME'
-    task :restore_snapshot => :environment do
-      adapter = get_cbac_pristine_adapter
-      if ENV['SNAPSHOT_NAME'].nil?
-        puts "Missing required parameter SNAPSHOT_NAME. Exiting."
-        exit
-      elsif adapter.database_contains_cbac_data?
-        if ENV['FORCE'] == "true"
-          puts "FORCE specified: emptying CBAC tables"
-          adapter.clear_cbac_tables
-        else
-          puts "Reloading snapshot failed: CBAC tables are nonempty. Specify FORCE=true to override this check and empty the tables"
-          exit
-        end
-      end
-
-      puts "Restoring snapshot #{ENV['SNAPSHOT_NAME']}"
-
-      ENV['FIXTURES_PATH'] = ENV['SNAPSHOT_NAME']
-
-      # Don't need privilege sets since they are loaded from a config file.
-      ENV['FIXTURES'] = "cbac_generic_roles,cbac_memberships,cbac_known_permissions,cbac_permissions,cbac_staged_permissions, cbac_staged_roles"
-
-      Rake::Task["db:fixtures:load"].invoke
-      puts "Successfully restored snapshot."
-      #TODO: check if rake task was successful. else
-      #  puts "Restoring snapshot failed."
-      #end
-    end
-
-    desc 'Restore permissions to factory settings by loading the pristine file into the database'
-    task :pristine => :environment do
-      adapter = get_cbac_pristine_adapter
-      if adapter.database_contains_cbac_data?
-        if ENV['FORCE'] == "true"
-          puts "FORCE specified: emptying CBAC tables"
-        else
-          puts "CBAC pristine failed: CBAC tables are nonempty. Specify FORCE=true to override this check and empty the tables"
-          exit
-        end
-      end
-
-      if ENV['SKIP_SNAPSHOT'] == 'true'
-        puts "\nSKIP_SNAPSHOT provided - not dumping database."
-      else
-        puts "\nDumping a snapshot of the database"
-        Rake::Task["cbac:extract_snapshot"].invoke
-      end
-      filename = ENV['PRISTINE_FILE'] || "config/cbac/cbac.pristine"
-      puts "Parsing pristine file #{filename}"
-      pristine_file = adapter.create_pristine_file(filename)
-      adapter.set_pristine_state([pristine_file], true)
-      puts "Applied #{pristine_file.permissions.length.to_s} permissions."
-      puts "Task cbac:pristine finished."
-    end
-
-    desc 'Restore generic permissions to factory settings'
-    task :pristine_generic => :environment do
-      adapter = get_cbac_pristine_adapter
-      if adapter.database_contains_cbac_data?
-        if ENV['FORCE'] == "true"
-          puts "FORCE specified. Dropping all generic permissions and replacing them with generic pristine"
-          adapter.delete_generic_known_permissions
-          adapter.delete_generic_permissions
-        else
-          puts "CBAC pristine failed: CBAC tables are nonempty. Specify FORCE=true to override this check and empty the tables"
-          exit
-        end
-      end
-
-      if ENV['SKIP_SNAPSHOT'] == 'true'
-        puts "\nSKIP_SNAPSHOT provided - not dumping database."
-      else
-        puts "\nDumping a snapshot of the database"
-        Rake::Task["cbac:extract_snapshot"].invoke
-      end
-
-      filename = ENV['GENERIC_PRISTINE_FILE'] || "config/cbac/cbac_generic.pristine"
-      puts "Parsing pristine file #{filename}"
-      pristine_file = adapter.create_generic_pristine_file(filename)
-      adapter.set_pristine_state([pristine_file], false)
-      puts "Applied #{pristine_file.permissions.length.to_s} permissions."
-      puts "Task cbac:pristine_generic finished."
-    end
-
-    desc 'Restore all permissions to factory state. Uses the pristine file and the generic pristine file'
-    task :pristine_all => :environment do
-      adapter = get_cbac_pristine_adapter
-      if adapter.database_contains_cbac_data?
-        if ENV['FORCE'] == "true"
-          puts "FORCE specified: emptying CBAC tables"
-        else
-          puts "CBAC pristine failed: CBAC tables are nonempty. Specify FORCE=true to override this check and empty the tables"
-          exit
-        end
-      end
-
-      if ENV['SKIP_SNAPSHOT'] == 'true'
-        puts "\nSKIP_SNAPSHOT provided - not dumping database."
-      else
-        puts "\nDumping a snapshot of the database"
-        Rake::Task["cbac:extract_snapshot"].invoke
-      end
-      filename = ENV['PRISTINE_FILE'] || "config/cbac/cbac.pristine"
-      generic_filename = ENV['GENERIC_PRISTINE_FILE'] || "config/cbac/cbac_generic.pristine"
-      puts "Parsing pristine file #{filename} and generic pristine file #{generic_filename}"
-      pristine_file = adapter.create_pristine_file(filename)
-      generic_pristine_file = adapter.create_generic_pristine_file(generic_filename)
-      adapter.set_pristine_state([pristine_file, generic_pristine_file], true)
-      puts "Applied #{pristine_file.permissions.length.to_s} permissions and #{generic_pristine_file.permissions.length.to_s} generic permissions."
-      puts "Task cbac:pristine_all finished."
-    end
-
-    desc 'Upgrade permissions by adding them to the staging area. Does not upgrade generic permissions'
-    task :upgrade_pristine => :environment do
-      adapter = get_cbac_pristine_adapter
-      if ENV['SKIP_SNAPSHOT'] == 'true'
-        puts "\nSKIP_SNAPSHOT provided - not dumping database."
-      else
-        puts "\nDumping a snapshot of the database"
-        Rake::Task["cbac:extract_snapshot"].invoke
-      end
-
-      ENV['CHANGE_TYPE'] = 'context'
-      filename = ENV['PRISTINE_FILE'] || "config/cbac/cbac.pristine"
-      puts "Parsing pristine file #{filename}"
-
-      pristine_file = adapter.create_pristine_file(filename)
-      adapter.delete_non_generic_staged_permissions
-      puts "Deleted all staged context and administrator permissions"
-
-      adapter.stage_permissions([pristine_file])
-      puts "Staged #{adapter.number_of_non_generic_staged_permissions.to_s} permissions."
-      puts "Task cbac:upgrade_pristine finished."
-    end
-
-
-    desc 'Upgrade generic permissions by adding them to the staging area. Does not upgrade context or admin permissions.'
-    task :upgrade_pristine_generic => :environment do
-      adapter = get_cbac_pristine_adapter
-      if ENV['SKIP_SNAPSHOT'] == 'true'
-        puts "\nSKIP_SNAPSHOT provided - not dumping database."
-      else
-        puts "\nDumping a snapshot of the database"
-        Rake::Task["cbac:extract_snapshot"].invoke
-      end
-
-      ENV['CHANGE_TYPE'] = 'context'
-      generic_filename = ENV['GENERIC_PRISTINE_FILE'] || "config/cbac/cbac_generic.pristine"
-
-      puts "Parsing pristine file #{generic_filename}"
-      generic_pristine_file = adapter.create_generic_pristine_file(generic_filename)
-
-      adapter.delete_non_generic_staged_permissions
-      puts "Deleted all staged generic permissions"
-
-      adapter.stage_permissions([generic_pristine_file])
-      puts "Staged #{adapter.number_of_generic_staged_permissions.to_s} generic permissions."
-      puts "Task cbac:upgrade_pristine finished."
-    end
-
-    desc 'Upgrade all permissions by adding them to the staging area.'
-    task :upgrade_all => :environment do
-      adapter = get_cbac_pristine_adapter
-      if ENV['SKIP_SNAPSHOT'] == 'true'
-        puts "\nSKIP_SNAPSHOT provided - not dumping database."
-      else
-        puts "\nDumping a snapshot of the database"
-        Rake::Task["cbac:extract_snapshot"].invoke
-      end
-
-      ENV['CHANGE_TYPE'] = 'context'
-      filename = ENV['PRISTINE_FILE'] || "config/cbac/cbac.pristine"
-      generic_filename = ENV['GENERIC_PRISTINE_FILE'] || "config/cbac/cbac_generic.pristine"
-      puts "Parsing pristine file #{filename} and generic pristine file #{generic_filename}"
-
-      pristine_file = adapter.create_pristine_file(filename)
-      generic_pristine_file = adapter.create_generic_pristine_file(generic_filename)
-
-      adapter.delete_generic_staged_permissions
-      adapter.delete_non_generic_staged_permissions
-      puts "Deleted all current staged permissions"
-
-
-      adapter.stage_permissions([pristine_file, generic_pristine_file])
-      puts "Staged #{adapter.number_of_non_generic_staged_permissions.to_s} permissions and #{adapter.number_of_generic_staged_permissions.to_s} generic permissions."
-      puts "Task cbac:upgrade_all finished."
-    end
-end
+#TODO: zip (or something) the directory resulting from a snapshot and delete it
+#TODO: unzip (or something) the provided snapshot and load from it, then delete temp dir
+#TODO: add staging area to extracted snapshot, inserted snapshot, clearing code, etc.
+
+#TODO: add comments to pristine lines, in a Comment() style
+
+# WARNING: Non-changes are not saved as known_permissions when using pristine or such. THIS IS NOT A BUG! Think of the following scenario:
+# 1) Developers grant permission X
+# 2) User deploys. Permission X is granted in the database.
+# 3) User revokes permission X
+# 4) Developers revoke permission X
+# 5) User upgrades. No change in permission X detected, (since devteam and user agree) so the user is not prompted to accept the change.
+# 6) User grants permission X again
+# 7) User upgrades again. At this point, we want the user to be warned that the devteam thinks granting this permission is not a good idea. 
+#    This is only possible if the non-change in #5 is not registered as KnownChange
+
+# Get a privilege set that fulfills the provided conditions
+  def get_privilege_set(conditions)
+    Cbac::PrivilegeSetRecord.first(:conditions => conditions)
+  end
+
+# Get a Hash containing all entries from the provided table
+  def select_all(table)
+    ActiveRecord::Base.connection.select_all("SELECT * FROM %s;" % table)
+  end
+
+# Generate a usable filename for dumping records of the specified type
+  def get_filename(type)
+    "#{ENV['SNAPSHOT_NAME']}/cbac_#{type}.yml"
+  end
+
+  def load_objects_from_yaml(type)
+    filename = get_filename(type)
+
+    Yaml.load_file(filename)
+  end
+
+# Dump the specified permissions to a YAML file
+  def dump_permissions_to_yaml_file(permissions)
+    permissions.each do |cp|
+      privilege_set_name = get_privilege_set(:id => cp['privilege_set_id']).name
+      cp['privilege_set_id'] = "<%= Cbac::PrivilegeSetRecord.find(:first, :conditions => {:name => '#{privilege_set_name}'}).id %>"
+    end
+    dump_objects_to_yaml_file(permissions, "permissions")
+  end
+
+# Dump a set of objects to a YAML file. Filename is determined by type-string
+  def dump_objects_to_yaml_file(objects, type)
+    filename = get_filename(type)
+
+    puts "Writing #{type} to disk"
+
+    File.open(filename, "w") do |output_file|
+      index = "0000"
+      output_file.write objects.inject({}) { |hash, record|
+        hash["#{type.singularize}_#{index.succ!}"] = record
+        hash
+      }.to_yaml
+    end
+  end
+
+  def get_cbac_pristine_adapter
+    adapter_class = Class.new
+    adapter_class.send :include, Cbac::CbacPristine
+    adapter_class.new
+  end
+
+  namespace :cbac do
+    desc 'Initialize CBAC tables with bootstrap data. Allows ADMINUSER to log in and visit CBAC administration pages. Also, if a Privilege Set called "login" exists, this privilege is granted to "everyone"'
+    task :bootstrap => :environment do
+      adapter = get_cbac_pristine_adapter
+      if adapter.database_contains_cbac_data?
+        if ENV['FORCE'] == "true"
+          puts "FORCE specified: emptying CBAC tables"
+          adapter.clear_cbac_tables
+        else
+          puts "CBAC bootstrap failed: CBAC tables are nonempty. Specify FORCE=true to override this check and empty the tables"
+          exit
+        end
+      end
+
+      adminuser = ENV['ADMINUSER'] || 1
+      login_privilege_set = get_privilege_set(:name => "login")
+      everybody_context_role = ContextRole.roles[:everybody]
+      if !login_privilege_set.nil? and !everybody_context_role.nil?
+        puts "Login privilege exists. Allowing context role 'everybody' to use login privilege"
+        login_permission = Cbac::Permission.new(:context_role => 'everybody', :privilege_set_id => login_privilege_set.id)
+        throw "Failed to save Login Permission" unless login_permission.save
+      end
+
+      puts "Creating Generic Role: administrators"
+      admin_role = Cbac::GenericRole.new(:name => "administrator", :remarks => "System administrators - may edit CBAC permissions")
+      throw "Failed to save new Generic Role" unless admin_role.save
+
+      puts "Creating Administrator Membership for user #{adminuser}"
+      membership = Cbac::Membership.new(:user_id => adminuser, :generic_role_id => admin_role.id)
+      throw "Failed to save new Administrator Membership" unless membership.save
+
+      begin
+        admin_privilege_set_id = get_privilege_set({:name => 'cbac_administration'}).id
+      rescue
+        throw "No PrivilegeSet cbac_administration defined. Aborting."
+      end
+      cbac_admin_permission = Cbac::Permission.new(:generic_role_id => admin_role.id, :privilege_set_id => admin_privilege_set_id)
+      throw "Failed to save Cbac_Administration Permission" unless cbac_admin_permission.save
+
+      puts <<EOF
+**********************************************************
+* Succesfully bootstrapped CBAC. The specified user (# #{adminuser} ) *
+* may now visit the cbac administration pages, which are *
+* located at the URL /cbac/permissions/index by default  *
+**********************************************************
+EOF
+    end
+
+    desc 'Extract a snapshot of the current authorization settings, which can later be restored using the restore_snapshot task. Parameter SNAPSHOT_NAME determines where the snapshot is stored'
+    task :extract_snapshot => :environment do
+      if ENV['SNAPSHOT_NAME'].nil?
+        puts "Missing argument SNAPSHOT_NAME. Substituting timestamp for SNAPSHOT_NAME"
+        require 'date'
+        ENV['SNAPSHOT_NAME'] = DateTime.now.strftime("%Y%m%d%H%M%S")
+      end
+
+      if File::exists?(ENV['SNAPSHOT_NAME']) # Directory already exists!
+        if ENV['FORCE'] == "true"
+          puts "FORCE specified - overwriting older snapshot with same name."
+        else
+          puts "A snapshot with the given name (#{ENV['SNAPSHOT_NAME']}) already exists, and overwriting is dangerous. Specify FORCE=true to override this check"
+          exit
+        end
+      else # Directory does not exist yet
+        FileUtils.mkdir(ENV['SNAPSHOT_NAME'])
+      end
+
+      puts "Extracting CBAC permissions to #{ENV['SNAPSHOT_NAME']}"
+
+      # Don't need privilege sets since they are loaded from a config file.
+      staged_changes = select_all "cbac_staged_permissions"
+      dump_objects_to_yaml_file(staged_changes, "staged_permissions")
+
+      staged_roles = select_all "cbac_staged_roles"
+      dump_objects_to_yaml_file(staged_roles, "staged_roles")
+
+      permissions = select_all "cbac_permissions"
+      dump_permissions_to_yaml_file(permissions)
+
+      generic_roles = select_all "cbac_generic_roles"
+      dump_objects_to_yaml_file(generic_roles, "generic_roles")
+
+      memberships = select_all "cbac_memberships"
+      dump_objects_to_yaml_file(memberships, "memberships")
+
+      known_permissions = select_all "cbac_known_permissions"
+      dump_objects_to_yaml_file(known_permissions, "known_permissions")
+    end
+
+    desc 'Restore a snapshot of authorization settings that was extracted earlier. Specify a snapshot using SNAPSHOT_NAME'
+    task :restore_snapshot => :environment do
+      adapter = get_cbac_pristine_adapter
+      if ENV['SNAPSHOT_NAME'].nil?
+        puts "Missing required parameter SNAPSHOT_NAME. Exiting."
+        exit
+      elsif adapter.database_contains_cbac_data?
+        if ENV['FORCE'] == "true"
+          puts "FORCE specified: emptying CBAC tables"
+          adapter.clear_cbac_tables
+        else
+          puts "Reloading snapshot failed: CBAC tables are nonempty. Specify FORCE=true to override this check and empty the tables"
+          exit
+        end
+      end
+
+      puts "Restoring snapshot #{ENV['SNAPSHOT_NAME']}"
+
+      ENV['FIXTURES_PATH'] = ENV['SNAPSHOT_NAME']
+
+      # Don't need privilege sets since they are loaded from a config file.
+      ENV['FIXTURES'] = "cbac_generic_roles,cbac_memberships,cbac_known_permissions,cbac_permissions,cbac_staged_permissions, cbac_staged_roles"
+
+      Rake::Task["db:fixtures:load"].invoke
+      puts "Successfully restored snapshot."
+      #TODO: check if rake task was successful. else
+      #  puts "Restoring snapshot failed."
+      #end
+    end
+
+    desc 'Restore permissions to factory settings by loading the pristine file into the database'
+    task :pristine => :environment do
+      adapter = get_cbac_pristine_adapter
+      if adapter.database_contains_cbac_data?
+        if ENV['FORCE'] == "true"
+          puts "FORCE specified: emptying CBAC tables"
+        else
+          puts "CBAC pristine failed: CBAC tables are nonempty. Specify FORCE=true to override this check and empty the tables"
+          exit
+        end
+      end
+
+      if ENV['SKIP_SNAPSHOT'] == 'true'
+        puts "\nSKIP_SNAPSHOT provided - not dumping database."
+      else
+        puts "\nDumping a snapshot of the database"
+        Rake::Task["cbac:extract_snapshot"].invoke
+      end
+      filename = ENV['PRISTINE_FILE'] || "config/cbac/cbac.pristine"
+      puts "Parsing pristine file #{filename}"
+      pristine_file = adapter.find_or_create_pristine_file(filename)
+      adapter.set_pristine_state([pristine_file], true)
+      puts "Applied #{pristine_file.permissions.length.to_s} permissions."
+      puts "Task cbac:pristine finished."
+    end
+
+    desc 'Restore generic permissions to factory settings'
+    task :pristine_generic => :environment do
+      adapter = get_cbac_pristine_adapter
+      if adapter.database_contains_cbac_data?
+        if ENV['FORCE'] == "true"
+          puts "FORCE specified. Dropping all generic permissions and replacing them with generic pristine"
+          adapter.delete_generic_known_permissions
+          adapter.delete_generic_permissions
+        else
+          puts "CBAC pristine failed: CBAC tables are nonempty. Specify FORCE=true to override this check and empty the tables"
+          exit
+        end
+      end
+
+      if ENV['SKIP_SNAPSHOT'] == 'true'
+        puts "\nSKIP_SNAPSHOT provided - not dumping database."
+      else
+        puts "\nDumping a snapshot of the database"
+        Rake::Task["cbac:extract_snapshot"].invoke
+      end
+
+      filename = ENV['GENERIC_PRISTINE_FILE'] || "config/cbac/cbac_generic.pristine"
+      puts "Parsing pristine file #{filename}"
+      pristine_file = adapter.find_or_create_generic_pristine_file(filename)
+      adapter.set_pristine_state([pristine_file], false)
+      puts "Applied #{pristine_file.permissions.length.to_s} permissions."
+      puts "Task cbac:pristine_generic finished."
+    end
+
+    desc 'Restore all permissions to factory state. Uses the pristine file and the generic pristine file'
+    task :pristine_all => :environment do
+      adapter = get_cbac_pristine_adapter
+      if adapter.database_contains_cbac_data?
+        if ENV['FORCE'] == "true"
+          puts "FORCE specified: emptying CBAC tables"
+        else
+          puts "CBAC pristine failed: CBAC tables are nonempty. Specify FORCE=true to override this check and empty the tables"
+          exit
+        end
+      end
+
+      if ENV['SKIP_SNAPSHOT'] == 'true'
+        puts "\nSKIP_SNAPSHOT provided - not dumping database."
+      else
+        puts "\nDumping a snapshot of the database"
+        Rake::Task["cbac:extract_snapshot"].invoke
+      end
+      filename = ENV['PRISTINE_FILE'] || "config/cbac/cbac.pristine"
+      generic_filename = ENV['GENERIC_PRISTINE_FILE'] || "config/cbac/cbac_generic.pristine"
+      puts "Parsing pristine file #{filename} and generic pristine file #{generic_filename}"
+      pristine_file = adapter.find_or_create_pristine_file(filename)
+      generic_pristine_file = adapter.find_or_create_generic_pristine_file(generic_filename)
+      adapter.set_pristine_state([pristine_file, generic_pristine_file], true)
+      puts "Applied #{pristine_file.permissions.length.to_s} permissions and #{generic_pristine_file.permissions.length.to_s} generic permissions."
+      puts "Task cbac:pristine_all finished."
+    end
+
+    desc 'Upgrade permissions by adding them to the staging area. Does not upgrade generic permissions'
+    task :upgrade_pristine => :environment do
+      adapter = get_cbac_pristine_adapter
+      if ENV['SKIP_SNAPSHOT'] == 'true'
+        puts "\nSKIP_SNAPSHOT provided - not dumping database."
+      else
+        puts "\nDumping a snapshot of the database"
+        Rake::Task["cbac:extract_snapshot"].invoke
+      end
+
+      ENV['CHANGE_TYPE'] = 'context'
+      filename = ENV['PRISTINE_FILE'] || "config/cbac/cbac.pristine"
+      puts "Parsing pristine file #{filename}"
+
+      pristine_file = adapter.find_or_create_pristine_file(filename)
+      adapter.delete_non_generic_staged_permissions
+      puts "Deleted all staged context and administrator permissions"
+
+      adapter.stage_permissions([pristine_file])
+      puts "Staged #{adapter.number_of_non_generic_staged_permissions.to_s} permissions."
+      puts "Task cbac:upgrade_pristine finished."
+    end
+
+
+    desc 'Upgrade generic permissions by adding them to the staging area. Does not upgrade context or admin permissions.'
+    task :upgrade_pristine_generic => :environment do
+      adapter = get_cbac_pristine_adapter
+      if ENV['SKIP_SNAPSHOT'] == 'true'
+        puts "\nSKIP_SNAPSHOT provided - not dumping database."
+      else
+        puts "\nDumping a snapshot of the database"
+        Rake::Task["cbac:extract_snapshot"].invoke
+      end
+
+      ENV['CHANGE_TYPE'] = 'context'
+      generic_filename = ENV['GENERIC_PRISTINE_FILE'] || "config/cbac/cbac_generic.pristine"
+
+      puts "Parsing pristine file #{generic_filename}"
+      generic_pristine_file = adapter.find_or_create_generic_pristine_file(generic_filename)
+
+      adapter.delete_non_generic_staged_permissions
+      puts "Deleted all staged generic permissions"
+
+      adapter.stage_permissions([generic_pristine_file])
+      puts "Staged #{adapter.number_of_generic_staged_permissions.to_s} generic permissions."
+      puts "Task cbac:upgrade_pristine finished."
+    end
+
+    desc 'Upgrade all permissions by adding them to the staging area.'
+    task :upgrade_all => :environment do
+      adapter = get_cbac_pristine_adapter
+      if ENV['SKIP_SNAPSHOT'] == 'true'
+        puts "\nSKIP_SNAPSHOT provided - not dumping database."
+      else
+        puts "\nDumping a snapshot of the database"
+        Rake::Task["cbac:extract_snapshot"].invoke
+      end
+
+      ENV['CHANGE_TYPE'] = 'context'
+      filename = ENV['PRISTINE_FILE'] || "config/cbac/cbac.pristine"
+      generic_filename = ENV['GENERIC_PRISTINE_FILE'] || "config/cbac/cbac_generic.pristine"
+      puts "Parsing pristine file #{filename} and generic pristine file #{generic_filename}"
+
+      pristine_file = adapter.find_or_create_pristine_file(filename)
+      generic_pristine_file = adapter.find_or_create_generic_pristine_file(generic_filename)
+
+      adapter.delete_generic_staged_permissions
+      adapter.delete_non_generic_staged_permissions
+      puts "Deleted all current staged permissions"
+
+
+      adapter.stage_permissions([pristine_file, generic_pristine_file])
+      puts "Staged #{adapter.number_of_non_generic_staged_permissions.to_s} permissions and #{adapter.number_of_generic_staged_permissions.to_s} generic permissions."
+      puts "Task cbac:upgrade_all finished."
+    end
+end